1. Field of the Invention
The invention relates to the general field of data security, and more specifically relates to a network security device that regulates the flow of data to and from a communication device.
2. Description of Related Art
Reference is made to FIG. 4 where the components of a prior art network system are shown. Network systems are generally comprised of one or more communication devices 12, a communication network 16, and one or more server computers 18. The communication devices 12 may be any type of computing device that is connected to a communication network 16. Examples of communication devices 12 may include, but are not limited to, personal computers, laptops, slim line computers, wireless communication devices, data terminals and any other device that is capable of transmitting data to a network.
The communication network 16 described herein generally refers to the Internet, but could be any network that allows terminals to be connected through any suitable wired or wireless means for the exchange of data.
A server 18 is any server-type computer that has functionality allowing for a network connection, for example a web server on the Internet. A web server receives and processes requests for information accessed via the hypertext transfer protocol (HTTP) over the Internet.
For example purposes, using the Internet as the exemplar of a network, each communication device 12 and server 18 has associated with it an Internet Protocol (IP) address 20, shown on the figure as four numbers separated by periods (e.g. 64.233.187.99). Computers using the Internet access one or more Domain Name Servers (DNS) 10 to translate a domain name 21 (for example, bpmlegal.com) into the corresponding Internet Protocol (IP) address 22 of the server 18 hosting the domain (for example, 205.232.34.21). The interaction of the invention with Domain Name Servers 10 will be described in more detail below.
The term “data object” 14 is used to refer to any stream of data that originates from a communication device 12 and is destined for a destination address at a server 18 or other communication device 12. The data object may take various types of message formats including, but not limited to, any combination of cells, packets, and frames. The data objects 14 will vary in length and content depending on the particular application they were created by, and the address to which they are destined. The data object 14 may be transmitted in multiple parts, and the term data object is used to represent a group or block of data of varying size that is to be sent to one common destination address.
With the ever increasing proliferation of communication devices, along with methods to access the Internet, a growing number of people make use of the Internet on a daily basis. Recent statistics indicate that close to 900,000,000 people have Internet access in 2006. According to some estimates, this represents a 146% increase from 2000. Along with the increase in Internet usage has come an increase in opportunities for fraud to be committed by exploiting people's use of the Internet.
People now rely on the Internet to conduct financial transactions, including banking and purchases of goods and services. In such transactions, sensitive information is often provided by the users. Other forms of sensitive information are often transmitted across the Internet as well, and may include personal information that people wish to keep private (e.g. social security number, passwords, account numbers and other personal data) for fear of it being used by unauthorized parties. As a greater number of people make use of the Internet, the potential for data being sent to, or intercepted by, unauthorized individuals who then use the data for malicious purposes is increasing.
A great deal of research and development effort has been focused on how to prevent unauthorized third parties from accessing sensitive information. As a result, encryption techniques have been developed, along with firewalls that are designed to ensure that only specified users access certain information. However, such methods do not take into account that information is often transmitted in unencrypted form, and this information may contain sensitive information that is personal to the user and should be kept private. Also, where firewalls are implemented purely in software on the protected host, they are themselves vulnerable to attack.
From the perspective of corporate and personal finances, the last few decades have seen a metamorphosis from traditional banking methods to nearly instantaneous electronic transactions. Bank branches have become interconnected; overhead is reduced dramatically when systems that used to exist on mainframes and isolated machines are moved to network environments. With this increased connectivity, the financial abilities of businesses are rapidly changing, in some ways exponentially.
At the same time, corporations have incorporated evolving network technologies into their day-to-day affairs, linking satellite offices and branches into a centrally served, always on interconnected structure. This has allowed unprecedented levels of growth, information sharing, and business efficiency. Billions of paper documents have been put online, made searchable, and integrated into the corporate network. Email has become absolutely essential as a mode of communication at every level of a company's dealings.
With every additional step toward interconnectivity, however, the theoretical possibility of a security breach, an instance of identity theft, or direct monetary loss increases. As companies connect their branches together through the Internet, malicious web users are able to attack through numerous new vectors. These problems affect both companies and home users; truly anyone who has entered a piece of sensitive financial or corporate information on their Internet-enabled computer is at risk. The basic modern network is depicted in FIG. 4.
One of the most successful forms of attack is the scamming technique known as “phishing”, where information is stolen from a computer user through a complex act of deception. A report issued in May 2006 by Gartner Research estimated that, between the banks and credit card issuers, $1.2 billion in damage was wrought on the US financial market alone, due solely to phishing scams. The rate and severity of these attacks are increasing at an exponential rate, as security holes are discovered and financial institutions scramble to protect their procedures.
Phishing can be seen as a prime example of social engineering toward a malicious goal. The concept is simple; the user is presented with an email or some sort of message, claiming to be from a financial institution. The message appears completely legitimate, using the company's logo or letterhead, and presenting a largely believable scenario to the user. Perhaps there has been a transaction problem, or the user is being asked to update their personal information. Upon clicking the link within the message, the user is presented with a website seemingly set up by the financial institution; indeed, it is identical in some instances, even with the same address in the browser's address bar. The website is owned, of course, by the malicious user, and is intended to trick the victim into entering their sensitive details, which are then sent directly to the attacker. This technique is unfortunately wildly successful.
Phishing is not the only form of attack that users must be wary of. Since corporations first began storing sensitive documents on their networks, attackers have been interested in stealing these secrets. Through complex methods used to “crack” a server, perhaps through a bug in the code, or an exploitable security hole, attackers are frequently able to gain access to a corporation's entire network, where they are free to delete files at will, or run destructive code. Worse, theft is becoming increasingly common, and the Internet is growing as one of the most powerful vectors for corporate espionage. The cost of such espionage can often be devastating.
Network firewalls and anti-virus programs are both limited. Anti-virus scanners can only detect known viruses or worms that have already been identified (usually after they have already attacked many computers). Network firewalls are based on packet filtering, which is limited in principle, since the rules governing which packets to accept may rest on subjective decisions such as trusting certain sites or certain applications. Once security is breached for any reason, for example due to an error or intended deception, a hostile application may take over the computer, the server or the entire network and create unlimited damage (directly, or by opening the door to additional malicious applications). Neither is effective against security holes in, for example, browsers, e-mail programs or the operating system itself. According to many experts, security holes in critical applications are discovered so often that just keeping up with all the patches is impractical. Without generic protection, for example against Trojan horses, that can identify a malicious program without prior knowledge of it, even VPNs and other forms of data encryption, including digital signatures, are not really safe, because the information can be stolen before it is encrypted or below the encryption layer.
Another disturbing development in the field of computer viruses has been the creation of Trojan-proxy viruses. These viruses are transmitted in much the same way as typical infections, through email and illicit websites. They are often undetectable for a period after their creation, as is normally the case with viruses; this lag period is when security companies scramble to identify and remove the malicious code, and removal tools are issued to their users in the form of a security update. Update diligence varies widely from company to company, and the period of time between a virus's inception and the application of the corresponding update can be anywhere from a few hours to months. Anti-virus software, such as Norton or McAfee, is by its nature reactive, and its effectiveness is subject to the user's scanning schedule, the availability of suitable anti-virus updates and the user's diligence in applying them. As well, firewall software is relatively superficial, and especially at the individual user level is not effective against many virus access routes such as e-mail and browser-based transmissions.
A proxy server, by itself, is typically considered a tool of defense. Proxy servers essentially sit somewhere between a workstation or local network, and the rest of the Internet, translating and directing the traffic that they receive. This extra translation step serves to obfuscate the original sender of the data, because by the time the data reach the Internet, the “source” computer is the proxy server, not the original sender. Servers on the Internet then respond by sending data back to the proxy server, which re-translates the information and sends it back to the original workstation that made the request in the first place. In this sense the proxy server acts much like a router, but with a geographical advantage; the proxy server can be anywhere in the world, with an IP address completely unrelated to the local workstations or networks using the server.
For the security conscious, many proxy servers have been set up which do not require any sort of membership or personally identifiable information. These “anonymous” proxy servers accept connections from networks or workstations and perform the typical translations to hide the identity of the original sender, but their anonymous nature means that not even the owner of the proxy server knows who is using their services. Unfortunately, this is a very attractive prospect to virus senders, malicious hackers, and other unsavory types. Often multiple anonymous proxy servers are chained together, forwarding data from one to the other, making it nearly impossible to ascertain the original source of a virus or malicious command.
A Trojan-proxy virus, when it infects a user's computer, turns it into a private and anonymous proxy server without the owner's knowledge. From then on, the virus creator can use the computer as a staging point for attacks or further virus transmissions, with near impunity. One of the more worrying aspects of this scenario is the chance that a common user can be mistaken for a suspect during an investigation into electronic crime, since their computer may have been used (without their knowledge) as a proxy server for the actual attacker. This fact, not to mention the enormous toll taken on local bandwidth and system resources, is enough to highlight the potential danger of a Trojan-proxy infection.
As previously outlined, traditionally, the most effective protection against Trojan-proxy infections has been the use of a well-maintained virus scanner, and a properly installed firewall. The firewall would conceivably restrict the virus's pathways to the Internet, assuming it was using an uncommon port to make those connections; alternatively, the more comprehensive firewalls would recognize abnormal traffic patterns and either block them, or at least inform the user. This would typically provide a basic level of protection until a virus scanner update could be installed and the infection removed properly.
The mounting threat of phishing scams and information theft has not escaped the purview of some of the largest security firms, and Microsoft has seen fit to include a brand new anti-phishing component within its next generation web browser, IE7. The technology relies on a number of key assumptions, and uses a series of basic analyses to determine if a site is malicious. The limitations of IE7 in detecting phishing scams are unfortunately prominent, and arise both from insufficient programming and from an intrinsic inability of a software program to completely protect the system it runs on.
One of the primary methods IE7 uses to detect a malicious website is a client-side whitelist of “safe” websites which is transmitted incrementally from the central Microsoft server. The client computer appears to connect periodically to Microsoft in order to automatically update its whitelist, but the frequency of these updates, and the manner in which the information is passed to the client computer, are currently known only to Microsoft. Logistically, this approach is of limited value, as any meaningful whitelist would have to be enormous and constantly maintained as servers change and addresses migrate. Presumably the client-side list would be stored in some sort of encrypted archive, but the very fact that the database of safe sites is stored on the user's computer means it is intrinsically vulnerable to modification: encryption hides the list's contents but does not by itself prove that they are unaltered. If a virus can crack the archive and insert false whitelisted addresses, the futility of such a measure is put into sharp relief.
Beyond the simple whitelist, IE7 attempts to perform a heuristic analysis on every site a user visits that is not on the whitelist. This heuristic analysis examines a site for clues indicative of a phishing scam, and upon detecting what it deems a positive result, sends the address in question to the Microsoft central server for further analysis. This behavior is the default, unfortunately, and does not bode well for legitimate site owners whose websites throw a false positive when examined by IE7. The most glaring fault, however, is the apparent ease with which one can submit a site to Microsoft for inclusion in the whitelist; it's apparently as simple as filling in a form. The process would presumably be somewhat automated, as the staff needed to manually examine every single whitelist submission would be staggering. This harks back to the problem inherent with security certificates: if the malicious user can obtain authentication, what good is the authentication process?
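The following is an added illustration of the client-side whitelist weakness described above; it is example code written for this discussion, not code from IE7, Microsoft or the present invention. It models a "safe site" list stored on the user's machine and compares three checks: an unauthenticated list (an inserted host is accepted), the same list protected by an HMAC-SHA256 tag (the edit is detected), and the tagged list after malware on the same machine has read the locally stored key and re-signed a forged list (the edit is again invisible). The key, file layout and host names are constructed for the example.

```python
"""Client-side whitelist integrity: added example, not code from the patent or IE7.

A 'safe site' list stored on the user's machine can be modified by malware on
that machine. Compared here:
  1. an unauthenticated list (tampering is invisible),
  2. an HMAC-tagged list (tampering of the body alone is detected),
  3. the same HMAC list after malware reads the key that is also stored
     locally and re-signs a forged list (tampering is again invisible).
Key, serialization and host names are constructed for the demonstration.
"""
import hashlib
import hmac
import json

# Constructed: a vendor secret that a naive design stores beside the list.
LOCAL_KEY = b"example-whitelist-key-not-secret"


def _serialize(sites):
    """Canonical bytes for a list of hosts (sorted, compact JSON)."""
    return json.dumps(sorted(sites), separators=(",", ":")).encode()


def package_list(sites, key=LOCAL_KEY):
    """Serialize a whitelist and attach an HMAC-SHA256 tag over the bytes."""
    body = _serialize(sites)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_and_load(package, key=LOCAL_KEY):
    """Return the list of hosts if the tag verifies, otherwise None."""
    expected = hmac.new(key, package["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, package["tag"]):
        return None
    return json.loads(package["body"].decode())


def is_whitelisted(host, sites):
    return host in sites


def tamper_body_only(package, extra_host):
    """Malware that edits the list but cannot (or does not) recompute the tag."""
    sites = json.loads(package["body"].decode())
    sites.append(extra_host)
    return {"body": _serialize(sites), "tag": package["tag"]}


def tamper_with_local_key(package, extra_host, key=LOCAL_KEY):
    """Malware that also read the key from disk and re-signs the forged list."""
    sites = json.loads(package["body"].decode())
    sites.append(extra_host)
    return package_list(sites, key)


def scenario():
    """Run the three checks against a constructed look-alike phishing host."""
    legit = ["bank.example", "shop.example"]
    phish = "bank-example.test"          # constructed look-alike host
    pkg = package_list(legit)

    # 1. Unauthenticated check: the body is trusted without verifying the tag.
    forged = tamper_body_only(pkg, phish)
    unauth_sites = json.loads(forged["body"].decode())
    r1 = is_whitelisted(phish, unauth_sites)          # True: forgery accepted

    # 2. Verified check on the same body-only forgery.
    r2 = verify_and_load(forged) is None              # True: tamper detected

    # 3. Verified check when the forger also holds the local key.
    loaded = verify_and_load(tamper_with_local_key(pkg, phish))
    r3 = loaded is not None and is_whitelisted(phish, loaded)   # True: defeated

    return {
        "unauthenticated_accepts_forgery": r1,
        "hmac_detects_body_edit": r2,
        "hmac_defeated_when_key_local": r3,
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

The third case is the point of the passage: a secret that lives on the protected machine is available to anything else running there. Replacing the HMAC with a public-key signature (the client holds only the public key) stops a local attacker from forging a new list, but it does not stop that attacker from swapping the stored public key or patching the code that performs the check, which is the more general limitation of security software that runs on the system it protects.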
Firewalls, Intrusion Detection and Prevention Systems, as well as virus scanners and removal tools have typically existed as software installed on the end-user's computer, or as dedicated network nodes.
In the case of software, a myriad of problems exist which often compromise the objectivity of the security system; virus scanners must work within the confines of the operating system, and thus can be circumvented by new viruses, while firewalls can be bypassed through clever execution of malicious code. In short, no security software which runs on the same system it is attempting to protect, can ever be completely safe. Worse, with new rootkit viruses being developed at an accelerating rate, it is becoming more difficult to even detect whether or not a system has been compromised.
Dedicated network nodes overcome some of these problems, but face additional shortcomings due to their implementation. Network security nodes are typically accessed remotely (from elsewhere on the local network) through a website interface, or similar front-end which requires the node to have an IP address. Once the node has an address, it is completely visible on the network and can theoretically be attacked. Once the possibility for attack exists, the security of the node, and thus the security of the network itself is contingent on the ability of the network administrator to patch every hole and monitor every exploitable bug in order to keep intruders out of a system.
US published patent application 2004/0268147, “Integrated security system”, aims to use a variety of methods to examine the data payload of traffic for so-called “malicious content”. However, the invention does not appear to function invisibly on the network, and is thus vulnerable to attack. Beyond this, the above-described invention appears concerned exclusively with data originating on the external network and passing into the client node, rather than dealing with data bi-directionally.
U.S. Pat. No. 6,795,918, “Service level computer security”, is essentially a less complex and non-configurable firewall. The market is home/small office users who don't need the features of a full-fledged firewall. The invention intercepts traffic packets, and works primarily with protocol, source port, and destination port data. There is no interface through which a user can configure the rules or the logic of the invention. The data analyzed by the “packet analyzer” segment of the invention is strictly from the packet headers, and not the information payload.
U.S. Pat. No. 7,023,861, “Malware scanning using a network bridge”, functions as a network bridge with the aim of scanning incoming files for “malware” or otherwise malicious pieces of code. It concatenates incoming data files from their individual packets, examines the data file, and either drops or passes the file to the client computer. Furthermore, the invention can examine packets to determine which ones to inspect. The invention operates unidirectionally (scanning incoming traffic).
Statutory Invention Registration (SIR) H1944, “Firewall security method and apparatus”, is a driver-based physical “dongle” attached to the parallel port on a client computer. All traffic to the client node must pass through the dongle. The firewall is controlled by device drivers installed on the client computer in the form of DLL files. Since the operating software for the device runs on the same computer that is using the device for communication, the software is subject to attack and subversion. The firewall can be updated through connection to an external server over the Internet, though it does not rely on this server for normal operation. The firewall can check the contents of packets for such things as viruses and file characteristics, in both directions on the network. The firewall can monitor traffic for “suspected communications which may lead to a security breach”, wherein the implied “security breach” is an attack on the client computer, rather than a transmission of unauthorized sensitive information (e.g. confidential documents). The device appears to be visible on the network, and makes no claim to work at the MAC level or any claim of functional network invisibility.
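To make concrete the distinction drawn above between a header-only packet filter (the '918 “packet analyzer”, which sees protocol and port numbers but not the payload) and inspection of the payload in the outbound direction (the transmission of sensitive information that H1944 does not address), the following added example builds a minimal IPv4/TCP packet in memory, parses its headers, and applies both kinds of check. It is illustrative code written for this discussion, not code from any of the cited patents or from the present invention; the local address range, port allow-list and the marker used to recognise a sensitive record (a 9-digit number preceded by “SSN=”) are assumptions made for the demonstration, and no network traffic is sent.

```python
"""Header-only packet filtering versus outbound payload inspection.

Added example, not code from the cited patents. Builds an IPv4/TCP packet
in memory (constructed, no network), parses the headers, and applies:
  - a header-only rule set (protocol, destination port), the kind of data a
    '918-style packet analyzer works with;
  - a payload check on outbound packets that flags a constructed marker for a
    sensitive record, which the header rules cannot see.
Addresses, ports and the marker pattern are assumptions for the demonstration.
"""
import re
import struct

TCP = 6


def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, payload):
    """IPv4 header (20 bytes) + TCP header (20 bytes) + payload.
    Checksums are left as zero; they are not needed for the parsing shown here."""
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, TCP, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    # data offset 5 words (20 bytes) in the high nibble; flags PSH|ACK
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload


def parse(packet):
    """Return header fields and payload from a raw IPv4 packet (TCP or other)."""
    vihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4
    fields = {"proto": proto,
              "src": ".".join(map(str, src)),
              "dst": ".".join(map(str, dst))}
    if proto == TCP:
        sport, dport, _, _, off_byte = struct.unpack("!HHIIB", packet[ihl:ihl + 13])
        thl = (off_byte >> 4) * 4
        fields.update(sport=sport, dport=dport, payload=packet[ihl + thl:total_len])
    else:
        fields.update(sport=None, dport=None, payload=packet[ihl:total_len])
    return fields


# Constructed header-only policy: outbound TCP to these ports is allowed.
HEADER_ALLOW = {(TCP, 80), (TCP, 443)}

# Constructed local address prefix; packets sourced here are outbound.
LOCAL_PREFIX = "192.168."

# Constructed marker for a sensitive record sent in cleartext.
SENSITIVE = re.compile(rb"SSN=\d{9}")


def header_filter(fields):
    """Decide purely on protocol and destination port, as a packet filter does."""
    return (fields["proto"], fields["dport"]) in HEADER_ALLOW


def payload_filter(fields):
    """Block outbound packets whose payload carries the sensitive marker.
    Inbound packets are passed: the check targets leakage, not attack."""
    outbound = fields["src"].startswith(LOCAL_PREFIX)
    if outbound and SENSITIVE.search(fields["payload"]):
        return False
    return True


def evaluate(packet):
    """Apply both checks and report each verdict separately."""
    fields = parse(packet)
    return {"header_allows": header_filter(fields),
            "payload_allows": payload_filter(fields)}


if __name__ == "__main__":
    # Constructed traffic: a benign request, then a form post that leaks a record.
    benign = build_ipv4_tcp("192.168.1.10", "205.232.34.21", 40000, 80,
                            b"GET / HTTP/1.1\r\nHost: bpmlegal.com\r\n\r\n")
    leak = build_ipv4_tcp("192.168.1.10", "205.232.34.21", 40001, 80,
                          b"POST /form HTTP/1.1\r\n\r\nname=a&SSN=123456789")
    print("benign:", evaluate(benign))
    print("leak:  ", evaluate(leak))
```

The header filter passes both packets, since each is TCP to port 80; only the payload check, and only when it is applied to the outbound direction, distinguishes the request that carries the constructed sensitive record from the one that does not. Payload inspection of this kind also has to reassemble data split across packets (the “data object” of the description above) before matching, which this single-packet example does not show.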